In a recent project I was required to use ActivIdentity ActivID for two factor authentication. This post is about my overall experience with the product and its poor approach to HA. While ActivID does work fine, and its tokens look nice and it works OK, this is not a product for any small or medium company, and requires a lot of IT resources to make it work
The two factor token authentication market has many players, and the RSA SecurID solution has first to market advantage. The SecurID product is ‘reassuringly expensive‘ and is the default solution for token authentication. It was mandated from Head Office that ActivID was the chosen product. On a first pass cost analysis, it looked good value for money.
The ActivID 4Tress AAA server software has no licensing requirements and is based on an honesty system. This is refreshing in the modern era, however this was never covered in the documentation and it took over two weeks for the support to be able to indicate that there was no activation or licensing required. Just install it and go.
Note however, that you still have to buy the tokens, so you can’t bypass the licensing in the end.
I was not able to access quality technical support. Because ActivID only wants to work with big companies directly, I was unable to buy a maintenance contract directly from ActivID. I was forced to use a distributor for tech support. At purchase time I had deep misgivings about this knowing that for a non core product like ActivID, the distributor was unlikely to have more than one person trained in the product, and that person was possibly not their best engineer. This turned out to be true and I was unable to get satisfactory answers to any questions. In fact, I was unable to get anyone to answer support questions. Even worse, when I tried to escalate to ActivID and make direct contact, ActivID would refer me back to the distributor and refuse to take my call.
So ActivID 4TRESS AAA server is Windows only, and that includes the management client as well. While this is probably suitable for most corporate IT departments, a significant number of IT people are moving away from Windows on their own desktops. Vendors need to recognise this and move to develop clients that are universal. The Web Help desk does work in any browser but the thick client does not.
The dependency on Microsoft SQL server is similar, and although integration with other systems is possible, tech support becomes a problem (see above). Many organisations are moving to use MySQL instead MSSQL for IT operations and the lack of support for any other database was a disappointment.
High Availability – useless
ActvID have chosen to use a database backend to achieve synchronisation between servers. Which means that you have to install a full MSSQL (or use an existing unit) to allow for data replication. I find this ridiculous. As a network engineer, I do not want to be installing SQL or integrating with a database administrator to maintain such an important system. In effect, this concept designs failure INTO the system.
And the extra cost for MS SQL licenses is not appreciated either. While some organisations will use MSSQL, many more will use Oracle or something similar.
Does what it says on the Tin
The product does work, and, once you adapt yourself around the way it works, it works fine. The Web Helpdesk is a nice idea, but obviously something that you are expected develop a user interface for as part of your helpdesk software. For smaller IT operations no one is going to take time to customise it. It looks like an afterthought and is not intuitive to use. ActivIdentity could do a much better job of this to improve the out of box experience.
ActivID can integrate with Windows AD, but I found the interface a little funky (read not intuitive). The ability to be creative with group selection and username matching was limited. The entire management interface looked very dated to me.
Other tools in the box
ActivId has a lot of tools that allow it to integrate with other stuff. There are several directories on the CD that might be interesting if I need to integrate with other stuff. If you want these features then I suspect that my negatives might not be yours thus your mileage may vary.
If I had to work in a very large company, had access to software development resources and Windows administrators then the money saved compared to SecurID might be worthwhile. But if you are small to medium business with , say, less than 100 IT staff you will be better off with something else.
Once again, the quality of technical support lets an American product down. The favoured model by US tech companies of having their own tech support in America but handing it to distributors in the rest of the world continues to be a disappointment. Make sure that you take the time to check how the maintenance is delivered before you buy.